pull in AllowLocal default to false branch

twilio-labs · Mar 2, 2023 · dea6545 · dea6545
2 parents e067ca0 + 3cc8769
commit dea6545
Show file tree

Hide file tree

Showing 7 changed files with 36 additions and 21 deletions.
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-# Twilio helper library for ASP.NET
+# Twilio helper library for ASP.NET
 
 [![Build](https://github.com/twilio-labs/twilio-aspnet/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/twilio-labs/twilio-aspnet/actions/workflows/ci.yml)
 
@@ -293,7 +293,7 @@ Then configure the request validation:
     "AuthToken": "[YOUR_AUTH_TOKEN]",
     "RequestValidation": {
       "AuthToken": "[YOUR_AUTH_TOKEN]",
-      "AllowLocal": true,
+      "AllowLocal": false,
       "BaseUrlOverride": "https://??????.ngrok.io"
     }
   }
@@ -316,7 +316,7 @@ builder.Services
   .AddTwilioRequestValidation((serviceProvider, options) =>
   {
     options.AuthToken = "[YOUR_AUTH_TOKEN]";
-    options.AllowLocal = true;
+    options.AllowLocal = false;
     options.BaseUrlOverride = "https://??????.ngrok.io";
   });
 ```
@@ -430,7 +430,7 @@ In your _Web.config_ you can configure request validation like shown below:
        <requestValidation 
          authToken="[YOUR_AUTH_TOKEN]"
          baseUrlOverride="https://??????.ngrok.io"
-         allowLocal="true"
+         allowLocal="false"
        />
     </twilio>
 </configuration>
@@ -444,15 +444,15 @@ You can also configure request validation using app settings:
     <appSettings>
       <add key="twilio:requestValidation:authToken" value="[YOUR_AUTH_TOKEN]"/>
       <add key="twilio:requestValidation:baseUrlOverride" value="https://??????.ngrok.io"/>
-      <add key="twilio:requestValidation:allowLocal" value="true"/>
+      <add key="twilio:requestValidation:allowLocal" value="false"/>
     </appSettings>
 </configuration>
 ```
 
 If you configure request validation using both ways, app setting will overwrite the `twilio/requestValidation` configuration element.
 
 A couple of notes about the configuration:
-- `allowLocal` will skip validation when the HTTP request originated from localhost.
+- `allowLocal` will skip validation when the HTTP request originated from localhost. ⚠️ Only use this during development, as this will make your application vulnerable to Server-Side Request Forgery.
 - Use `baseUrlOverride` in case you are in front of a reverse proxy or a tunnel like ngrok. The path of the current request will be appended to the `baseUrlOverride` for request validation.
 
 > **Warning**
@@ -527,7 +527,7 @@ bool IsValidTwilioRequest(HttpContext httpContext)
         urlOverride = $"{options.BaseUrlOverride.TrimEnd('/')}{request.Path}{request.QueryString}";
     }
 
-    return RequestValidationHelper.IsValidRequest(httpContext, options.AuthToken, urlOverride, options.AllowLocal ?? true);
+    return RequestValidationHelper.IsValidRequest(httpContext, options.AuthToken, urlOverride, options.AllowLocal);
 }
 ```
 

diff --git a/src/Twilio.AspNet.Core/RequestValidationHelper.cs b/src/Twilio.AspNet.Core/RequestValidationHelper.cs
@@ -25,7 +25,7 @@ internal static bool IsValidRequest(HttpContext context)
 
             var authToken = options.AuthToken;
             var baseUrlOverride = options.BaseUrlOverride;
-            var allowLocal = options.AllowLocal ?? true;
+            var allowLocal = options.AllowLocal;
 
             var request = context.Request;
 
@@ -44,8 +44,11 @@ internal static bool IsValidRequest(HttpContext context)
         /// </summary>
         /// <param name="context">HttpContext to use for validation</param>
         /// <param name="authToken">AuthToken for the account used to sign the request</param>
-        /// <param name="allowLocal">Skip validation for local requests</param>
-        public static bool IsValidRequest(HttpContext context, string authToken, bool allowLocal = true)
+        /// <param name="allowLocal">
+        /// Skip validation for local requests. 
+        /// ⚠️ Only use this during development, as this will make your application vulnerable to Server-Side Request Forgery.
+        /// </param>
+        public static bool IsValidRequest(HttpContext context, string authToken, bool allowLocal = false)
             => IsValidRequest(context, authToken, null, allowLocal);
 
         /// <summary>
@@ -55,12 +58,15 @@ public static bool IsValidRequest(HttpContext context, string authToken, bool al
         /// <param name="context">HttpContext to use for validation</param>
         /// <param name="authToken">AuthToken for the account used to sign the request</param>
         /// <param name="urlOverride">The URL to use for validation, if different from Request.Url (sometimes needed if web site is behind a proxy or load-balancer)</param>
-        /// <param name="allowLocal">Skip validation for local requests</param>
+        /// <param name="allowLocal">
+        /// Skip validation for local requests. 
+        /// ⚠️ Only use this during development, as this will make your application vulnerable to Server-Side Request Forgery.
+        /// </param>
         public static bool IsValidRequest(
             HttpContext context, 
             string authToken, 
             string urlOverride, 
-            bool allowLocal = true
+            bool allowLocal = false
         )
         {
             var request = context.Request;

diff --git a/src/Twilio.AspNet.Core/TwilioOptions.cs b/src/Twilio.AspNet.Core/TwilioOptions.cs
@@ -22,7 +22,7 @@ public class TwilioClientOptions
     public class TwilioRequestValidationOptions
     {
         public string AuthToken { get; set; }
-        public bool? AllowLocal { get; set; }
+        public bool AllowLocal { get; set; }
         public string BaseUrlOverride { get; set; }
     }
 

diff --git a/src/Twilio.AspNet.Mvc/RequestValidationHelper.cs b/src/Twilio.AspNet.Mvc/RequestValidationHelper.cs
@@ -17,8 +17,11 @@ public static class RequestValidationHelper
         /// </summary>
         /// <param name="context">HttpContext to use for validation</param>
         /// <param name="authToken">AuthToken for the account used to sign the request</param>
-        /// <param name="allowLocal">Skip validation for local requests</param>
-        public static bool IsValidRequest(HttpContextBase context, string authToken, bool allowLocal = true)
+        /// <param name="allowLocal">
+        /// Skip validation for local requests. 
+        /// ⚠️ Only use this during development, as this will make your application vulnerable to Server-Side Request Forgery.
+        /// </param>
+        public static bool IsValidRequest(HttpContextBase context, string authToken, bool allowLocal = false)
         {
             return IsValidRequest(context, authToken, null, allowLocal);
         }
@@ -30,8 +33,11 @@ public static bool IsValidRequest(HttpContextBase context, string authToken, boo
         /// <param name="context">HttpContext to use for validation</param>
         /// <param name="authToken">AuthToken for the account used to sign the request</param>
         /// <param name="urlOverride">The URL to use for validation, if different from Request.Url (sometimes needed if web site is behind a proxy or load-balancer)</param>
-        /// <param name="allowLocal">Skip validation for local requests</param>
-        public static bool IsValidRequest(HttpContextBase context, string authToken, string urlOverride, bool allowLocal = true)
+        /// <param name="allowLocal">
+        /// Skip validation for local requests. 
+        /// ⚠️ Only use this during development, as this will make your application vulnerable to Server-Side Request Forgery.
+        /// </param>
+        public static bool IsValidRequest(HttpContextBase context, string authToken, string urlOverride, bool allowLocal = false)
         {
             if (allowLocal && context.Request.IsLocal && !context.Request.Headers.AllKeys.Contains("X-Forwarded-For"))
             {

diff --git a/src/Twilio.AspNet.Mvc/ValidateRequestAttribute.cs b/src/Twilio.AspNet.Mvc/ValidateRequestAttribute.cs
@@ -49,7 +49,7 @@ protected virtual void ConfigureProperties()
             AllowLocal = allowLocalAppSetting != null
                 ? bool.Parse(allowLocalAppSetting)
                 : requestValidationConfiguration?.AllowLocal
-                  ?? true;
+                ?? false;
         }
 
         public override void OnActionExecuting(ActionExecutingContext filterContext)

diff --git a/src/testapps/AspNetCore/Program.cs b/src/testapps/AspNetCore/Program.cs
@@ -1,15 +1,16 @@
+using Microsoft.AspNetCore.HttpOverrides;
 using System.Xml.Linq;
 using Twilio.AspNet.Core;
 using Twilio.TwiML;
 
 var builder = WebApplication.CreateBuilder(args);
 
-builder.Services.AddHttpClient();
-
 builder.Services
     .AddTwilioClient()
     .AddTwilioRequestValidation();
 
+builder.Services.Configure<ForwardedHeadersOptions>(options => options.ForwardedHeaders = ForwardedHeaders.All);
+
 // Add services to the container.
 builder.Services.AddControllersWithViews();
 builder.Services.AddEndpointsApiExplorer();
@@ -18,6 +19,8 @@
 var app = builder.Build();
 
 // Configure the HTTP request pipeline.
+app.UseForwardedHeaders();
+
 if (!app.Environment.IsDevelopment())
 {
     app.UseExceptionHandler("/Home/Error");

diff --git a/src/testapps/AspNetCore/appsettings.json b/src/testapps/AspNetCore/appsettings.json
@@ -21,7 +21,7 @@
     "RequestValidation": {
       "AuthToken": "MyAuthToken!",
       "AllowLocal": false,
-      "BaseUrlOverride": "https://90e6b6c4f366.ngrok.io"
+      "BaseUrlOverride": null
     }
   }
 }